Is freemobile-sms safe?
https://clawhub.ai/dClauzel/freemobile-sms
This skill provides a straightforward SMS notification capability via the Free Mobile API, with clean code and no malicious intent detected. However, the overly broad allowed-tools declaration (Bash(python3:*)) significantly expands the attack surface beyond what is needed for SMS sending, and the autonomous sending pattern without per-message user confirmation creates combination risks with prompt injection. The skill itself is benign but its permission model is too permissive.
Findings (8)
MEDIUM Overly broad allowed-tools declaration -30
The skill declares allowed-tools: Bash(python3:*) which permits execution of ANY python3 command, not just the bundled FreeMobile_sms.py script. This grants the agent broad code execution capability that far exceeds the skill's stated purpose of sending SMS.
MEDIUM Broad python3 permission enables arbitrary data access -25
Because Bash(python3:*) is allowed, a prompt injection or chained skill could instruct the agent to run python3 -c commands that read arbitrary files or environment variables and send them to external endpoints.
MEDIUM Autonomous SMS sending without user confirmation -10
The skill instructs the agent to send SMS whenever it 'wants to' notify the user, with no explicit requirement for per-message user approval. This could be exploited by injected instructions from other skills or contexts.
LOW API credentials sent as GET parameters -5
The Free Mobile API design sends user credentials (user ID and API key) as URL query parameters, which means they appear in server access logs and potentially in browser history. This is the upstream API's design choice, not the skill author's fault.
LOW Skill frames agent as autonomous decision-maker -8
The French-language skill describes the agent sending SMS 'à ton humain' (to your human), framing the agent as the autonomous actor deciding when to notify, rather than the user requesting notifications.
LOW SMS as potential data exfiltration side-channel -15
In combination with other skills, the 160-character SMS channel could be used to exfiltrate small secrets (API keys, passwords) to the subscriber's phone. While the skill only sends to the owner's number, this is a non-trivial combination risk.
INFO Standard runtime filesystem activity during install -5
Filesystem monitoring shows reads of .env, .aws/credentials, and OpenClaw config files during install. These are attributable to the OpenClaw agent runtime initialization, not the skill itself.
INFO External dependency on requests library -5
The Python script imports the requests library, which is not vendored in the skill. Installing this dependency could be a vector if the agent is instructed to run pip install.